Is it possible to process personal data based on the current consents even after the GDPR has become effective?


This is a question often asked by data administrators and processors in connection with 25 May 2018, the date when the GDPR comes into effect.

If administrators process personal data based on the subjects’ consents acquired as required by the existing personal data protection regulation, this does not necessarily mean that new consents have to be requested or that their validity must be renewed. The Regulation itself stipulates that the subject need not re-grant their consent if the way the original consent was given is in accordance with the conditions required by the GDPR. It is, therefore, necessary to assess case by case whether the consents meet the GDPR requirements.

Below, we provide a list of common mistakes made by administrators when obtaining consents, which result in their invalidity:

  • involuntariness – granting consent to personal data processing, typically for marketing purposes, was one of the conditions for the provision of other, unrelated services or goods by the administrator (together with signing a specific contract, the customer must grant a consent without which the service may not be provided)
  • inseparability – the consent is a direct part of the contract text, or is even included only in the general business terms to which the contract relates, and the subject actually “grants” the consent merely by signing it
  • ambiguousness – the purposes of personal data processing are either not expressly stated in the consent at all or are only indicated indirectly, so it is not clear what the purposes cover. Also, the consent ought to be granted for each of the purposes separately.

Should the consent fail to meet the requirements of the GDPR and, hence, be invalid, this does not automatically mean an end to the data processing, as the legal title for it may be given by other reasons (meeting legal obligations, legitimate interests, direct marketing etc.). Nevertheless, it is always vital to consider such reasons in the specific cases so that the personal data are not processed illegally.

If you encounter issues or questions regarding consents or other problems connected with the GDPR, do not hesitate to turn to our legal team members, who are ready to help.